Date: Sun, 7 Jul 2019 15:42:58 +0200
From: Solar Designer <solar@...nwall.com>
To: oss-security@...ts.openwall.com
Subject: Re: linux-distros membership application - Microsoft

On Sun, Jul 07, 2019 at 12:04:07PM +0300, Georgi Guninski wrote:
> On Sat, Jul 6, 2019 at 10:40 PM Solar Designer <solar@...nwall.com> wrote:
> > I suppose we could either give Microsoft this 1 month
> > off as you suggest based on Microsoft's track record of promptly dealing
> > with security issues in non-Linux products, or subscribe Microsoft to
> > linux-distros in August 2019 (or later).
> 
> Are you suggesting breaking the rules and giving microsoft
> a present of one month?

I don't view it as a present, but as us being reasonable.  The rules
don't require the 1 year track record to be for Linux specifically:

"Have a publicly verifiable track record, dating back at least 1 year
and continuing to present day, of fixing security issues (including some
that had been handled on (linux-)distros, meaning that membership would
have been relevant to you) and releasing the fixes within 10 days (and
preferably much less than that) of the issues being made public (if it
takes you ages to fix an issue, your users wouldn't substantially
benefit from the additional time, often around 7 days and sometimes up
to 14 days, that list membership could give you)"

I think both the wording and the goal of us having this requirement have
been met by Microsoft.  Sure we can wait 1 more month, but what for?

As I understand, your reason would be to hurt Microsoft a tiny bit out
of spite for their past actions.  That's not a valid reason.

A reason I consider valid has to do with what entity is to join the
linux-distros list.  If it's not Microsoft at large, but "Microsoft
Linux Systems Group" as it has just been suggested, then the wording
above would apply to that group, and we probably do need to wait 1 more
month in order not to set a precedent where some other company's distro
could also join with less than 1 year of track record of fixes for the
distro.  While I have no doubt the goal of the requirement has already
been met by Microsoft, we could be in a less obvious situation with some
other company.

So I suggest we subscribe "Microsoft Linux Systems Group" on August 8.

> What mailing list is best to discuss microsoft's involvement in
> GPL? (last time I checked LKLM was extremely high traffic)

I don't know.  Certainly not a list we host.

Alexander
